Secret calculation method, secret calculation system, sorting device, and program

ABSTRACT

Secret calculation including secret sorting is performed at high speed. Permutation data generation step S 10  generates permutation data &lt;π i &gt; and &lt;π′ i &gt; so as to generate permutation data &lt;π L &gt;. Random ID column generation step S 12  generates a random ID column [r{right arrow over ( )} i ] so as to generate a random ID column [r{right arrow over ( )} L ]. Secret random permutation step S 14  performs secret random permutation of a set composed of a random ID column [r{right arrow over ( )} i−1 ], a key column [k{right arrow over ( )} i ], and the random ID column [r{right arrow over ( )} i ] with the permutation data &lt;π i &gt;. Flag creation step S 16  sets a flag [f j,h ] by using a key [k j ]=([k j,0 ], . . . , [k j,L−1 ]). Order table creation step S 18  creates an order table [s{right arrow over ( )}] by using the flag [f j,h ]. Sort permutation generation step S 20  generates sort permutation σπ −i   L  by using the random ID column [r{right arrow over ( )} i ], the order table [s{right arrow over ( )}], a post-permutation key column [π i k{right arrow over ( )} i ], and a post-permutation random ID column [π i r{right arrow over ( )} i ].

TECHNICAL FIELD

The present invention relates to a secret calculation technique, andespecially relates to a technique for performing secret sorting.

BACKGROUND ART

Secret calculation is a technique in which data processing is performedwhile concealing data by secret sharing. The secret sharing is atechnique in which data is converted into a plurality of distributedvalues so that original data can be restored by using a certain numberor more number of pieces of distributed values, while original datacannot be restored by using distributed values of which the number ofpieces is smaller than the certain number. The secret sharing can becategorized into several kinds. Examples of the secret sharing include(k,n)-secret sharing, permutation data secret sharing, and the like.

The (k,n)-secret sharing is secret sharing in which a plain text whichis inputted is divided into n pieces of shares so as to be distributedto n pieces of parties P=(p₀, . . . , p_(n−1)) in advance. The plaintext can be restored when arbitrary k pieces of shares are provided. Anyinformation on the plain text cannot be obtained from shares of whichthe number is smaller than k. Specific examples of types of the(k,n)-secret sharing include Shamir secret sharing, reproduction secretsharing, and the like.

The permutation data secret sharing is secret sharing performed whileconcealing permutation data. The permutation data is data representingthe rearrangement way in rearrangement of data columns. When m pieces ofdata columns are rearranged, permutation data π having the volume m isdata representing a bijective map π:N_(m)→N₁₁₁. Here, N_(m) represents acollection of non-negative integers which are smaller than an arbitraryinteger m. For example, data of which elements in vectors x{right arrowover ( )}ε(N_(m))^(m) are different from each other can be assumed asrandom permutation data having the volume m.

More specifically, a vector x{right arrow over ( )}=(3,0,2,1) can beassumed as random permutation data having the volume 4. For example, itis assumed to rearrange the data column y{right arrow over ()}=(1,5,7,10) by the vector x{right arrow over ( )}. 1 which is the 0thelement of the data column y{right arrow over ( )} is moved to the thirdposition represented by the 0th element of the vector x{right arrow over( )}. 5 which is the first element of the data column y{right arrow over( )} is moved to the 0th position represented by the first element ofthe vector x{right arrow over ( )}. In a similar manner, 7 is moved tothe second position and 10 is moved to the first position. As a result,the post-permutation data column z{right arrow over ( )}=(5,10,7,1) isobtained.

In the permutation data secret sharing, permutation data is concealed bythe following procedure. It is assumed that there are N pieces of kparty groups of columns P=ρ₀, . . . , ρ_(N−1). For example, when k=2,each k party group ρ_(i) is a set (p₀,p₁) of the party p₀ and the partyp₁, a set (p₀,p₂) of the party p₀ and the party p₂, or the like. It isassumed that all parties in each k party group ρ_(i) mutually share thepermutation data π_(pi) and the permutation data π_(ρi) is not informedto a complement ρ _(i). Further, a corresponding plain text is assumedto be π₀(π₁( . . . (π_(N−1)(I)) . . . )). Here, I represents permutationin which output is performed in the same arrangement as that of input,that is, identical permutation. In this case, if the k party groups ofcolumns P=ρ₀, . . . , ρ_(N−1) is set so that “(condition 1) anycomplement ρ _(i) satisfies ρ

ρ _(i) with respect to an arbitrary k−1 party group ρ”, any permutationdata π_(ρi) is unknown in any coupling of the k−1 party.

For example, when the number n of parties satisfies n≧2k−1, theabove-mentioned condition 1 is satisfied if the column P of the k partygroups is set as a collection including all the k party groups. Further,when the number n of parties satisfies n>2k−1, the above-mentionedcondition 1 is sometimes satisfied even if not all the k party groupsare included. For example, when k=2 and n=4, the condition 1 issatisfied though {(p₀,p₁),(p₂,p₃)} does not include all the k partygroups.

Secret sorting is processing for rearranging values in accordance with acertain rule based on a key order relation while concealing keys andvalues which are subjected to secret sharing. As a related art forperforming the secret sorting, a technique described in Non-patentLiterature 1 is disclosed.

In the secret sorting described in Non-patent Literature 1, a secretsharing value [v{right arrow over ( )}] of the value column v{rightarrow over ( )} and secret sharing values [k{right arrow over ()}_(L−1)], . . . , [k{right arrow over ( )}₀] of the key column k{rightarrow over ( )} are inputted and a secret sharing value [σv{right arrowover ( )}] of the value column σv{right arrow over ( )} which issubjected to alignment is outputted. Here, σ is a permutation functionrepresenting sorting. (1) The permutation function σ₀ is first set asidentical mapping on Z_(m). Here, Z_(m) is a collection of integerswhich are equal to or larger than 0 and smaller than m. (2) The randomID column [h{right arrow over ( )}]:=[I] is set. Here, I representsidentical permutation. (3) Processing from (4) to (14) described belowis executed with respect to i=0, . . . , L−1. (4) The permutation data<π₀>, <π₁>, and <π₂> are generated. (5) [σ_(i−1)k{right arrow over ()}_(i)] is stably sorted by 1 bit so as to generate the order table[s{right arrow over ( )}]. (6) Secret random permutation of([σ_(i)h{right arrow over ( )}],[s{right arrow over ( )}]) is performedwith the permutation data <π₀> so as to generate ([π₀σ_(i)h{right arrowover ( )}],[π₀s{right arrow over ( )}]). (7) If i=L, the process goes to(15) described below. (8) Secret random permutation of ([h{right arrowover ( )}],[k{right arrow over ( )}_(i+1)]) is performed with thepermutation data <π₁> so as to generate ([π₁h{right arrow over ()}],[π₁k{right arrow over ( )}_(i+1)]). (9) [π₁h{right arrow over ( )}]and [π₀σ_(i)h{right arrow over ( )}] are restored. (10) [π₀σ_(i)k{rightarrow over ( )}_(i+1)]:=π₀σ_(i)h{right arrow over ( )}(π₁h{right arrowover ( )})⁻¹[π₁k{right arrow over ( )}_(i+1)] is calculated. (11) Secretrandom permutation of ([π₀σ_(i)h{right arrow over ( )}],[π₀s{right arrowover ( )}],[π₀σ_(i)k{right arrow over ( )}_(i+1)]) is performed with thepermutation data <π₂> so as to generate ([π₂₀σ_(i)h{right arrow over ()}],[π₂₀s{right arrow over ( )}>],[π₂₀σ_(i)k{right arrow over ()}_(i+1)]). Here, π₂₀−π₂π₀ holds. (12) [π₂₀s{right arrow over ( )}>] isrestored. (13) ([s{right arrow over ( )}⁻¹σ_(i)h{right arrow over ()}],[s{right arrow over ( )}⁻¹σ_(i)k{right arrow over ()}_(i+1)]):=(π₂₀s{right arrow over ( )})⁻¹([π₂₀σ_(i){right arrow over ()}],[π₂₀σ_(i)k{right arrow over ( )}_(i+1)]) is calculated. (14)Permutation function σ_(i+1):=s{right arrow over ( )}⁻¹σ_(i) is set.(15) [π₀s{right arrow over ( )}] and [s{right arrow over ( )}⁻¹σ_(i)h]are restored. (16) Permutation function σ_(L):=s{right arrow over ()}⁻¹σ_(L−1) is set. (17) The permutation data <π₃> is generated. (18)Permutation of [h{right arrow over ( )}] and [v{right arrow over ( )}]is performed with the permutation data <π₃> so as to generate([π₃h{right arrow over ( )}],[π₃v{right arrow over ( )}]). (19)[π₃h{right arrow over ( )}] and [σ_(L)h{right arrow over ( )}] arerestored so as to output [σv{right arrow over ( )}]:=σ_(L)h{right arrowover ( )}(π₃h{right arrow over ( )})⁻¹[π₃v{right arrow over ( )}]. Here,permutation function σ=σ_(L).

PRIOR ART LITERATURE Non-Patent Literature

Non-patent Literature 1: Koki Hamada, Dai Ikarashi, Koji Chida, KatsumiTakahashi: “A linear time sorting algorithm on secure functionevaluation”, Computer Security Symposium 2011, 2011

SUMMARY OF THE INVENTION Problems to be Solved by the Invention

In the secret sorting technique described in Non-patent Literature 1,production of random ID columns and secret random permutation arerepeatedly executed in sequence. Thus, there is a problem in which thenumber of communication stages is large.

An object of the present invention is to reduce the number ofcommunication stages required for secret sorting and perform secretcalculation including secret sorting at high speed.

Means to Solve the Problems

In order to solve the above-described problems, a secret calculationmethod according to one aspect of the present invention is a secretcalculation method in which sort permutation σπ^(−i) _(L) for performingalignment of a value column is generated by inputting a set composed ofa secret sharing value [v{right arrow over ( )}] of a column k{rightarrow over ( )} including in pieces of keys k₀, . . . , k_(m−1) having Lbits and a secret sharing value [v{right arrow over ( )}] of the columnv{right arrow over ( )} including in pieces of values v₀, . . . ,v_(m−1), and which includes a permutation data generation step in whicha permutation data generation unit generates permutation data <π_(i)>and <π′_(i)> so as to generate permutation data <π_(L)> with respect toi=1, . . . , L−1, a random ID column generation step in which a randomID column generation unit generates a random ID column [r{right arrowover ( )}_(i)] which does not include mutually-overlapped values so asto generate a random ID column [r{right arrow over ( )}_(L)] which doesnot include mutually-overlapped values with respect to i=1, . . . , L−1,a secret random permutation step in which a secret random permutationunit performs secret random permutation of a set composed of a random IDcolumn [r{right arrow over ( )}_(i−1)], a key column [k{right arrow over( )}_(i)], and the random ID column [r{right arrow over ( )}_(i)] withthe permutation data <π_(i)> so as to generate a set composed of apost-permutation random ID column π_(i)r{right arrow over ( )}_(i−1), apost-permutation key column [π_(i)k{right arrow over ( )}_(i)], and apost-permutation random ID column [π_(i)r{right arrow over ( )}_(i)] andperforms secret random permutation of a random ID column [r{right arrowover ( )}_(L−1)] with the permutation data <π_(L)> so as to generate apost-permutation random ID column π_(L)r{right arrow over ( )}_(L−1)with respect to i=1, . . . , L−1, a flag creation step in which a flagcreation unit determines whether or not k_(j)=h is satisfied withrespect to a key [k_(j)]=([k_(j,0)], . . . , [k_(j,L−1)]) in cases ofj=0, . . . , m−1 and h=0, . . . , L−1 so as to set a flag [f_(j,h)], anorder table creation step in which an order table creation unit createsan order table [s{right arrow over ( )}:=(s₀, . . . , s_(m−1))], inwhich an order of each of the keys k₀, . . . , k_(m−1) in an ascendingorder is set, by using the flag [f_(j,h)], and a sort permutationgeneration step in which a sort permutation generation unit performspermutation of the random ID column [r{right arrow over ( )}_(i)] by apermutation function σ_(i) so as to generate a post-permutation randomID column [σ_(i)r{right arrow over ( )}_(i)] with respect to i=0, . . ., L−1, performs secret random permutation of an order table [s{rightarrow over ( )}] and the post-permutation random ID column [σ_(i)r{rightarrow over ( )}_(i)] with the permutation data <π′_(i)> so as togenerate a post-permutation order table π′_(i)s{right arrow over ( )}and a post-permutation random ID column π′_(i)σ_(i)r{right arrow over ()}_(i), performs alignment of the post-permutation random ID columnπ′_(i)σ_(i)r{right arrow over ( )}_(i) based on the post-permutationorder table π′_(i)s{right arrow over ( )} so as to generate apost-alignment random ID column σ_(i+1)r{right arrow over ( )}_(i), setsa permutation function σ_(i+1)=s{right arrow over ( )}⁻¹σ_(i), equallycouples a set composed of a post-permutation random ID columnπ_(i+1)r{right arrow over ( )}_(i), a post-permutation key column[π_(i+1)k{right arrow over ( )}_(i+1)], and a post-permutation random IDcolumn [π_(i+1)r{right arrow over ( )}_(i+1)] with the post-alignmentrandom ID column σ_(i+1)r{right arrow over ( )}_(i) by using thepost-permutation random ID column π_(i+1)r{right arrow over ( )}_(i) asa key with respect to i=0, . . . , L−2, generates a set composed of thepost-alignment random ID column σ_(i+1)r{right arrow over ( )}_(i), apost-alignment key column [σ_(i+1)k{right arrow over ( )}_(i+1)], and apost-alignment random ID column [σ_(i+1)r{right arrow over ( )}_(i+1)],and equally couples the post-permutation random ID column π_(L)r{rightarrow over ( )}_(L−1) with a post-alignment random ID columnσ_(L)r{right arrow over ( )}_(L−1) so as to generate sort permutationσπ⁻¹ _(L).

A secret calculation method according to another aspect of the presentinvention is a secret calculation method in which a post-alignment valuecolumn [σv{right arrow over ( )}]^(V) is generated by inputting a setcomposed of a secret sharing value [k{right arrow over ( )}] of a columnk{right arrow over ( )} including in pieces of keys k₀, . . . , k_(m−1)having L bits and a secret sharing value [v{right arrow over ( )}] ofthe column v{right arrow over ( )} including in pieces of values v₀, . .. , v_(m−1), and which includes a permutation data generation step inwhich a permutation data generation unit generates permutation data<π_(i)> and <π′_(i)> so as to generate permutation data <π_(L)> withrespect to i=1, . . . , L−1, a random ID column generation step in whicha random ID column generation unit generates a random ID column [r{rightarrow over ( )}_(i)] which does not include mutually-overlapped valuesso as to generate a random ID column [r{right arrow over ( )}_(L)] whichdoes not include mutually-overlapped values with respect to i=1, . . . ,L−1, a secret random permutation step in which a secret randompermutation unit performs secret random permutation of a set composed ofa random TD column a key column [k{right arrow over ( )}_(i)], and therandom ID column [r{right arrow over ( )}_(i)] with the permutation data<π_(i)> so as to generate a set composed of a post-permutation random IDcolumn π_(i)r{right arrow over ( )}_(i−1), a post-permutation key column[π_(i)k{right arrow over ( )}_(i)], and a post-permutation random IDcolumn [π_(i)r{right arrow over ( )}_(i)] and performs secret randompermutation of a random ID column [r{right arrow over ( )}_(L−1)] and avalue column [v{right arrow over ( )}]^(V) with the permutation data<π_(L)> so as to generate a post-permutation random ID columnπ_(L)r{right arrow over ( )}_(L−1) and a post-permutation value column[π_(L)v{right arrow over ( )}]^(V) with respect to i=1, . . . , L−1, aflag creation step in which a flag creation unit determines whether ornot k_(j)=h is satisfied with respect to a key [k_(j)]=([k_(j,0)], . . ., [k_(j,L−1)]) in cases of j=0, . . . , m−1 and h=0, . . . , L−1 so asto set a flag [f_(j,h)], an order table creation step in which an ordertable creation unit creates an order table [s{right arrow over ()}:=(s₀, . . . , s_(m−1)], in which an order of each of the keys k₀, . .. , k_(m−1) in an ascending order is set, by using the flag [f_(j,h)],and an alignment step in which an alignment unit performs permutation ofthe random ID column [r{right arrow over ( )}_(i)] by a permutationfunction σ_(i) so as to generate a post-permutation random ID column[σ_(i)r{right arrow over ( )}_(i)] with respect to i=0, . . . , L−1,performs secret random permutation of an order table [s{right arrow over( )}] and the post-permutation random ID column [σ_(i)r{right arrow over( )}_(i)] with the permutation data <π′_(i)> so as to generate apost-permutation order table π′_(i)s{right arrow over ( )} and apost-permutation random ID column π′_(i)σ_(i)r{right arrow over ()}_(i), performs alignment of the post-permutation random ID columnπ′_(i)σ_(i)r{right arrow over ( )}_(i) based on the post-permutationorder table π′_(i)s{right arrow over ( )} so as to generate apost-alignment random ID column σ_(i+1)r{right arrow over ( )}_(i), setsa permutation function σ_(i+1)=s{right arrow over ( )}⁻¹σ_(i), equallycouples a set composed of a post-permutation random ID columnπ_(i+1)r{right arrow over ( )}_(i), a post-permutation key column[π_(i+1)k{right arrow over ( )}_(i+1)], and a post-permutation random IDcolumn [π_(i+1)r{right arrow over ( )}_(i+1)] with the post-alignmentrandom ID column σ_(i+1)r{right arrow over ( )}_(i) by using thepost-permutation random ID column π_(i+1)r{right arrow over ( )}_(i) asa key with respect to i=0, . . . , L−2, generates a set composed of thepost-alignment random ID column σ_(i+1)r{right arrow over ( )}_(i), apost-alignment key column [σ_(i+1)k{right arrow over ( )}_(i+1)], and apost-alignment random ID column [σ_(i+1)r{right arrow over ( )}_(i+1)],and equally couples a set composed of the post-permutation random IDcolumn π_(L)r{right arrow over ( )}_(L−1) and the post-permutation valuecolumn [π_(L)v{right arrow over ( )}]^(V) with a post-alignment randomID column σ_(L)r{right arrow over ( )}_(L−1) by using thepost-permutation random ID column π_(L)r{right arrow over ( )}_(L−1) asa key so as to generate the post-alignment value column [σv{right arrowover ( )}]^(V).

Effects of the Invention

According to the secret calculation technique of the present invention,the number of communication stages in performing of secret sorting canbe reduced. Accordingly, secret calculation including secret sorting canbe executed at high speed.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates the functional configuration of a secret calculationsystem.

FIG. 2 illustrates the functional configuration of a sorting deviceaccording to a first embodiment.

FIG. 3 illustrates a processing flow of a secret calculation methodaccording to the first embodiment.

FIG. 4 illustrates the functional configuration of a sorting deviceaccording to a second embodiment.

FIG. 5 illustrates a processing flow of a secret calculation methodaccording to the second embodiment.

FIG. 6 illustrates the functional configuration of a sorting deviceaccording to a third embodiment.

FIG. 7 illustrates a processing flow of a secret calculation methodaccording to the third embodiment.

FIG. 8 illustrates the functional configuration of a sorting deviceaccording to a fourth embodiment.

FIG. 9 illustrates a processing flow of a secret calculation methodaccording to the fourth embodiment.

DETAILED DESCRIPTION OF THE EMBODIMENT

Before provision of the description of embodiments, notation and termsused in this specification are defined.

[Notation]

p represents a party possessing shares.

P=(p₀, . . . , p_(n−1)) represents a collection of the whole of nparties possessing shares.

ρ=(p₀, . . . , p_(k−1)) represents a collection of k party groupsexecuting permutation processing.

[x] represents a (k,n)-secret sharing value of the plane text xεG. Here,G represents a commutative group. The (k,n)-secret sharing valuerepresents a set obtained by collecting all shares which are obtained bydistributing the plain text x by the (k,n)-secret sharing. Secretsharing values [x] are normally possessed in a manner to be distributedin n party collection P, so that all secret sharing values [x] are notpossessed at one place and therefore, secret sharing values [x] arevirtual.

[x]^(ID) represents a secret sharing value, which can express in kindsof IDs, in a space.

[x]^(O) represents a secret sharing value, which can express m kinds oforder collections, in a space.

[x]^(B) represents a secret sharing value of a bit.

[x]^(V) represents a secret sharing value, which can express a value ofa sorting object, in a space.

[x]^(K) represents a secret sharing value, which can express a part ofkeys for determining a sorting order, in a space. The whole key space isexpressed by a combination of L pieces of [x]^(K) (a case where [x]^(K)is a secret sharing value in a bit column and the key has L bits, forexample).

x

^(ρ) represents an additive secret sharing value of the plain text xεG.The additive secret sharing value represents a set obtained bycollecting all shares which are obtained by distributing the plain textx by additive secret sharing.

x

^(ρ) _(p) represents a share possessed by the party pεp in the additivesecret sharing value

x

^(ρ).

x{right arrow over ( )}

^(ρ) represents a column of additive secret sharing values by which acolumn of a plain text becomes x{right arrow over ( )}.

G

^(ρ) represents a collection of the whole of additive secret sharingvalues in the commutative group G.

<π> represents a permutation data secret sharing value of permutationdata π.

Embodiments of the present invention will be described in detail below.Here, it should be noted that constituent portions mutually having thesame functions are given the same reference numerals in the drawings andduplicate description thereof is omitted.

First Embodiment

Referring to FIG. 1, a configuration example of a secret calculationsystem according to a first embodiment is described. The secretcalculation system includes n (≧2) pieces of sorting devices 1 and anetwork 9. Each of the sorting devices 1 ₁, . . . , 1 _(n) is connectedto the network 9. It is sufficient that the network 9 is configured sothat the sorting devices 1 ₁, . . . , 1 _(n) can communicate with eachother and the network 9 may be composed of an internet, a LAN, a WAN, orthe like, for example. Further, the sorting devices 1 ₁, . . . , 1 _(n)do not necessarily have to be able to mutually communicate online viathe network 9. For example, such configuration may be employed thatinformation outputted from a certain sorting device 1 _(i) (1≦i≦n) isstored in a portable recording medium such as a USB memory and isinputted offline into another sorting device 1 _(j) (1≦j≦n, i≠j) fromthe portable recording medium.

A configuration example of the sorting device 1 included in the secretcalculation system is described with reference to FIG. 2. A sortingdevice 1 includes a permutation data generation unit 10, a random IDcolumn generation unit 12, a secret random permutation unit 14, a flagcreation unit 16, an order table creation unit 18, a sort permutationgeneration unit 20, and a value alignment unit 22. The sorting device 1is a special device which is configured by reading a special programinto a known or dedicated computer including a central processing unit(CPU), a main storage device (a random access memory, RAM), and thelike, for example. The sorting device 1 executes each processing underthe control of the central processing unit, for example. Data inputtedinto the sorting device 1 and data obtained in each processing arestored in the main storage device, for example, and the data stored inthe main storage device is read when needed so as to be used for otherprocessing.

Referring to FIG. 3, one example of a processing flow of a secretcalculation method which is executed by the secret calculation systemaccording to the first embodiment is described in accordance with anorder of a procedure which is actually performed.

The sorting device 1 inputs a set ([k{right arrow over ()}]^(K),[v{right arrow over ( )}]^(V)) composed of the secret sharingvalue [k{right arrow over ( )}]^(K) of the key column k{right arrow over( )} and the secret sharing value [v{right arrow over ( )}]^(V) of thevalue column v{right arrow over ( )} and outputs the secret sharingvalue [σv{right arrow over ( )}]^(V) of the post-alignment value columnσv{right arrow over ( )}. Here, σ represents a permutation functionrepresenting sorting. The key column k{right arrow over ( )} is a columnincluding in pieces of keys k₀, . . . , k_(m−1). The bit length of eachkey k_(i) is L. That is, each key k_(i) can be expressed ask_(i)=(k_(i,0), . . . , k_(i,L−1)). Columns of distributed values ofrespective bits of the key column k{right arrow over ( )} are expressedas [k{right arrow over ( )}₀]^(K), [k{right arrow over ( )}_(L−1)]^(K).The value column v{right arrow over ( )} represents a column includingin pieces of values v₀, . . . , v_(m−1). Each value v_(i) is at leastone value or may be a combination of a plurality of values. The keycolumn k{right arrow over ( )} and the value column v{right arrow over ()} may be identical to each other.

In step S10, the permutation data generation unit 10 parallelly andsimultaneously generates permutation data <π_(i)> and <π′_(i)> withrespect to i=0, . . . , L−1. Subsequently, permutation data <π_(L)> isgenerated.

In step S12, the random ID column generation unit 12 parallelly andsimultaneously generates the random ID column [r{right arrow over ()}_(i)]^(ID) which does not include mutually-overlapped values withrespect to i=0, . . . , L−1. Subsequently, the random ID column [r{rightarrow over ( )}]^(ID) which does not mutually include overlapped values.

In step S14, the secret random permutation unit 14 parallelly andsimultaneously performs secret random permutation of the set ([r{rightarrow over ( )}_(i−1)]^(ID),[k{right arrow over ( )}_(i)]^(K),[r{rightarrow over ( )}_(i)]^(ID)) composed of the random ID column [r{rightarrow over ( )}_(i−1)]^(ID), the key column [k{right arrow over ()}_(i)]^(K), and the random ID column [r{right arrow over ( )}_(i)]^(ID)by the permutation data <π_(i)> with respect to i=1, . . . , L−1 so asto generate the set (π_(i)r{right arrow over ( )}_(i−1), [π_(i)k{rightarrow over ( )}_(i)]^(K),[π_(i)r{right arrow over ( )}_(i)]^(ID))composed of the post-permutation random ID column π_(i)r{right arrowover ( )}_(i−1), the post-permutation key column [π_(i)k{right arrowover ( )}_(i)]^(K), and the post-permutation random ID column[π_(i)r{right arrow over ( )}_(i)]^(ID). Subsequently, secret randompermutation of the random ID column [r{right arrow over ( )}_(L−1)]^(ID)is performed with the permutation data <π_(L)> so as to generate thepost-permutation random ID column π_(L)r{right arrow over ( )}_(L−1).

As the method of the secret random permutation, arbitrary secret randompermutation can be employed. For example, the method described inReference Literature 1 below can be employed. Further, permutationperformed by a permutation circuit is applicable as well.

-   [Reference Literature 1] Koki Hamada, Dai Ikarashi, Koji Chida,    Katsumi Takahashi, “A Random Permutation Protocol on Three-Party    Secure Function Evaluation”, Computer Security Symposium 2010, 2010

Further, the secret random permutation can be also performed by using1-additive re-sharing protocol described below. The 1-additivere-sharing protocol is secret random permutation in which dataprocessing is performed in accordance with the following procedures withan input of secret sharing values

a

^(ρ)ε

G

^(ρ) which are possessed by the k party group ρ=p₀, . . . , p_(k−1) soas to output secret sharing values

a

^(ρ′)ε

G

^(ρ′) which are possessed by another k party group ρ′=p₁, . . . , p_(k).In the 1-additive re-sharing protocol, only one party is differentbetween the k party group ρ and the k party group ρ′, so that thecommunication volume and the number of communication stages can bereduced and thus, the secret random permutation can be performedeffectively. However, it should be noted that roles of the parties areappropriately changed.

First, the party p₀ shares the random number r_(i)εG with the partyp_(i) with respect to i=1, . . . , k−1. Then, the party p₀ calculatesthe secret sharing value

a

^(ρ′) _(pk) with the following formula so as to send the

a

^(ρ′) _(pk) to the party p_(k).

${\langle{\langle a\rangle}\rangle}_{p_{k}}^{\rho^{\prime}} = {{\langle{\langle a\rangle}\rangle}_{p_{0}}^{\rho} - {\sum\limits_{1 \leq i < k}r_{i}}}$

The party p_(k) outputs the received

a

^(ρ′) _(pk). The party p_(i) (i=1, . . . , k−1) calculates the secretsharing value

a

^(ρ′) _(pi) with the following formula so as to output the secretsharing value

a

^(ρ′) _(pi).

a

_(p) _(i) ^(ρ′) =

a

_(p) _(i) ^(ρ) +r _(i)

In step S16, the flag creation unit 16 determines whether or not k_(j)=his satisfied with respect to the key [k_(j)]^(K)=([k_(j,0)]^(B), . . . ,[k_(j,L−1)]^(B)) in the cases of j=0, . . . , m−1 and h=0, . . . , L−1so as to parallelly and simultaneously set the flag [f_(j,h)].Specifically, in the case of k_(j)=h, the flag [f_(j,h)]^(B)=[1]^(B) isset. In the case of k_(j)≠h, the flag [f_(j,h)]^(B)=[0]^(B) is set. Anequal sign determination circuit may be used for setting of a flag.

Subsequently, the flag creation unit 16 converts the flag [f_(j,h)]^(B)into the flag [f_(j,h)]^(O). As a method for converting the secretsharing value [a]^(B) of the value a into the secret sharing value[a]^(O), the conversion may be performed as follows in the case ofsecret sharing in which [a]^(B) includes Z₂ as a partial group (forexample, reproduction secret sharing of mod2, Shamir secret sharing onan extension field of 2, or the like). First, the party p_(i) generatesthe random number r_(i) so as to generate the secret sharing values[r_(i)]^(B) and [r_(i)]^(O) by two types of secret sharing. Then, thefollowing formulas are calculated by secret calculation so as togenerate the secret sharing values [r]^(B) and [r]^(O) of the randomnumber r.

[r] ^(B):=⊕_(i≦n) [r _(i)]^(B),

[r] ^(O):=⊕_(i<n) [r _(i)]^(O)

Subsequently, the exclusive OR [a′=a XOR r]^(B) of the value a and thevalue r is calculated by using the secret sharing value [a]^(B) and thesecret sharing value [r]^(B) so as to restore the value a′. Then, theexclusive OR [a]^(O)=a′ XOR [r]^(O) of the value a′ and the secretsharing value [r]^(O) is calculated. That is, in the case of a XOR r=0,[a]^(O):=[r]^(O) is obtained. In the case of a XOR r=1,[a]^(O):=1−[r]^(O) is obtained.

In step S18, the order table creation unit 18 creates the order table[s{right arrow over ( )}]^(O) by using the flag [f_(j,h)]^(O).[S]^(O)=[0]^(O) is first set. Then,[s_(j,h)]^(O)=[S_(j,h−1)]^(O)+[f_(j,h)]^(O) (here, each integersatisfying 0≦h<2^(L)) is set with respect to j=0, . . . , m−1.Subsequently, the following formula is parallelly and simultaneouslycalculated with respect to j=0, . . . , m−1 so as to set the order table[s{right arrow over ( )}:=(s₀, . . . , s_(m−1))]^(O). The created ordertable [s{right arrow over ( )}]^(O) becomes a vector in which an orderof each element of the key column k{right arrow over ( )}=k₀, . . . ,k_(m−1) in an ascending order is set.

$\left\lbrack s_{j} \right\rbrack^{O} = {\sum\limits_{h < L}{\left\lbrack s_{j,h} \right\rbrack^{O}\left\lbrack f_{j,h} \right\rbrack}^{O}}$

In step S20, the sort permutation generation unit 20 generates the sortpermutation σπ⁻¹ _(L) by using the order table [s{right arrow over ()}]^(O), the random ID column [r{right arrow over ( )}_(i)], thepermutation data <π′_(i)>, the post-permutation key column [π_(i)k{rightarrow over ( )}_(i)]^(K), and the post-permutation random ID column[σ_(i)r{right arrow over ( )}_(i)]^(ID). The permutation function σ₀=Iis first set. Here, I represents identical permutation. Then,permutation of the random ID column [r{right arrow over ( )}_(i)]^(ID)is performed by the permutation function σ_(i) with respect to i=0, . .. , L−1 so as to generate the post-permutation random ID column[σ_(i)r{right arrow over ( )}_(i)]^(ID). Subsequently, secret randompermutation of the order table [s{right arrow over ( )}]^(O) and thepost-permutation random ID column [σ_(i)r{right arrow over ()}_(i)]^(ID) performed with the permutation data <π′_(i)> so as togenerate the post-permutation order table π′_(i)s{right arrow over ( )}and the post-permutation random ID column π′_(i)σ_(i)r{right arrow over( )}_(i). Then, alignment of the post-permutation random ID columnπ′_(i)σ_(i)r{right arrow over ( )}_(i) is performed based on thepost-permutation order table π′_(i)s{right arrow over ( )} so as togenerate the post-alignment random ID column σ_(i+1)r{right arrow over ()}_(i). Here, the permutation function is expressed as σ_(i+1)=s{rightarrow over ( )}⁻¹σ_(i). Further, the set (π_(i+1)r{right arrow over ()}_(i),[π_(i+1)k{right arrow over ( )}_(i+1)]^(K),[π_(i+1)r{right arrowover ( )}_(i+1)]^(ID)) composed of the post-permutation random ID columnπ_(i+1)r{right arrow over ( )}_(i), the post-permutation key column[π_(i+1)k{right arrow over ( )}_(i+1)]^(K), and the post-permutationrandom ID column [π_(i+1)r{right arrow over ( )}_(i+1)]^(ID) and thepost-alignment random ID column σ_(i+1)r{right arrow over ( )}_(i) areequally coupled with each other by using the post-permutation random IDcolumn π_(i+1)r{right arrow over ( )}_(i) as a key with respect to i=0,. . . , L−2 so as to generate the set (σ_(i+1)r{right arrow over ()}_(i),[σ_(i+1)k{right arrow over ( )}_(i+1)]^(K),[σ_(i+1)r{right arrowover ( )}_(i+1)]^(ID)) composed of the post-alignment random ID columnσ_(i+1)r{right arrow over ( )}_(i), the post-alignment key column[σ_(i+1)k{right arrow over ( )}_(i+1)]^(K), and the post-alignmentrandom ID column [σ_(i+1)r{right arrow over ( )}_(i+1)]^(ID).Subsequently, the post-permutation random ID column π_(L)r{right arrowover ( )}_(L−1) and the post-alignment random ID column σ_(L)r{rightarrow over ( )}_(L−1) are equally coupled with each other so as togenerate the sort permutation σπ⁻ _(L). Here, a permutation function isexpressed as σ=σ_(L).

In step S22, the value alignment unit 22 performs secret randompermutation of the value column [v{right arrow over ( )}]^(V) by thepermutation data <π_(L)> so as to generate the post-permutation valuecolumn [π_(L)v{right arrow over ( )}]^(V). Subsequently, alignment ofthe post-permutation value column [π_(L)v{right arrow over ( )}]^(V) isperformed based on the sort permutation σπ⁻¹ _(L) so as to generate thepost-alignment value column [σv{right arrow over ( )}].

In the conventional secret sorting technique, generation of a random IDcolumn and secret random permutation have been performed in sequence. Inthe secret calculation system according to the first embodiment,required pieces of random ID columns are first generated so as to beable to parallelly and simultaneously perform the secret randompermutation using the random ID columns. Further, flags required forcreation of an order table are parallelly and simultaneously created.Accordingly, the number of communication stages in secret sorting can bereduced and secret calculation including secret sorting can be executedat high speed.

Second Embodiment

A configuration example of a sorting device 2 according to a secondembodiment is described with reference to FIG. 4. The sorting device 2includes the permutation data generation unit 10, the random ID columngeneration unit 12, the flag creation unit 16, and the order tablecreation unit 18 in a similar manner to the sorting device 1 accordingto the first embodiment, and further includes a secret randompermutation unit 24 and an alignment unit 26.

Referring to FIG. 5, one example of a processing flow of a secretcalculation method which is executed by a secret calculation systemaccording to the second embodiment is described in accordance with anorder of a procedure which is actually performed.

Processing from step S10 to step S12 is same as that in the secretcalculation method according to the fist embodiment.

In step S24, the secret random permutation unit 24 parallelly andsimultaneously performs secret random permutation of the set ([r{rightarrow over ( )}_(i−1)]^(ID),[k{right arrow over ( )}_(i)]^(K),[r{rightarrow over ( )}_(i)]^(ID)) composed of the random ID column [r{rightarrow over ( )}_(i−1)]^(ID), the key column [k{right arrow over ()}_(i)]^(K), and the random ID column [r{right arrow over ( )}_(i)]^(ID)with the permutation data <π_(i)> with respect to i=1, . . . , L−1 so asto generate the set (π_(i)r{right arrow over ( )}_(i−1),[π_(i)k{rightarrow over ( )}_(i)]^(K),[π_(i)r{right arrow over ( )}_(i)]^(ID))composed of the post-permutation random ID column π_(i)r{right arrowover ( )}_(i−1), the post-permutation key column [π_(i)k{right arrowover ( )}_(i)]^(K), and the post-permutation random ID column[π_(i)r{right arrow over ( )}_(i)]^(ID). Subsequently, secret randompermutation of the set ([r{right arrow over ( )}_(L−1)]^(ID),[v{rightarrow over ( )}]^(V)) composed of the random ID column [r{right arrowover ( )}_(L−1)]^(ID) and the value column [v{right arrow over ( )}]^(V)is performed with the permutation data <π_(L)> so as to generate the set(π_(L)r{right arrow over ( )}_(L−1),[π_(L)v{right arrow over ( )}]^(V))composed of the post-permutation random ID column π_(L)r{right arrowover ( )}_(L−1) and the post-permutation value column [π_(L)v{rightarrow over ( )}]^(V).

Processing from step S16 to step S18 is same as that of the secretcalculation method according to the first embodiment.

In step S26, the alignment unit 26 generates the post-alignment valuecolumn [σv{right arrow over ( )}] by using the order table [s{rightarrow over ( )}]^(O), the random ID column [r{right arrow over ()}_(i)], the permutation data <π′_(i)>, the post-permutation key column[π_(i)k{right arrow over ( )}_(i)]^(K), the post-permutation random IDcolumn [σ_(i)r{right arrow over ( )}_(i)]^(ID), and the post-permutationvalue column [π_(L)v{right arrow over ( )}]^(V). The permutationfunction σ₀=I is first set. Here, I represents identical permutation.Then, permutation of the random ID column [r{right arrow over ()}_(i)]^(ID) is performed by the permutation function σ_(i) with respectto i=0, . . . , L−1 so as to generate the post-permutation random IDcolumn [σ_(i)r{right arrow over ( )}_(i)]^(ID). Subsequently, secretrandom permutation of the order table [s{right arrow over ( )}]^(O) andthe post-permutation random ID column [σ_(i)r{right arrow over ()}_(i)]^(ID) is performed with the permutation data <π′_(i)> so as togenerate the post-permutation order table π′_(i)s{right arrow over ( )}and the post-permutation random ID column π′_(i)σ_(i)r{right arrow over( )}_(i). Then, alignment of the post-permutation random ID columnπ′_(i)σ_(i)r{right arrow over ( )}_(i) is performed based on thepost-permutation order table π′_(i)s{right arrow over ( )} so as togenerate the post-alignment random ID column σ_(i+1)r{right arrow over ()}_(i). Here, the permutation function is expressed as σ_(i+1)=s{rightarrow over ( )}⁻¹σ_(i). Further, the set (π_(i+1)r{right arrow over ()}_(i),[π_(i+1)k{right arrow over ( )}_(i+1)]^(K),[π_(i+1)r{right arrowover ( )}_(i+1)]^(ID)) composed of the post-permutation random ID columnπ_(i+1)r{right arrow over ( )}_(i), the post-permutation key column[π_(i+1)k{right arrow over ( )}_(i+1)]^(K), and the post-permutationrandom ID column [π_(i+1)r{right arrow over ( )}_(i+1)]^(ID) and thepost-alignment random ID column σ_(i+1)r{right arrow over ( )}_(i) areequally coupled with each other by using the post-permutation random IDcolumn π_(i+1)r{right arrow over ( )}_(i) as a key with respect to i=0,. . . , L−2 so as to generate the set (σ_(i+1)r{right arrow over ()}_(i),[σ_(i+1)k{right arrow over ( )}_(i+1)]^(K),[σ_(i+1)r{right arrowover ( )}_(i+1)]^(ID)) composed of the post-alignment random ID columnσ_(i+1)r{right arrow over ( )}_(i), the post-alignment key column[σ_(i+1)k{right arrow over ( )}_(i+1)]^(K), and the post-alignmentrandom ID column [σ_(i+1)r{right arrow over ( )}_(i+1)]^(ID).Subsequently, the set (π_(L)r{right arrow over ( )}_(L−1),[π_(L)v{rightarrow over ( )}]^(V)) composed of the post-permutation random ID columnπ_(L)r{right arrow over ( )}_(L−1) and the post-permutation value column[π_(L)v{right arrow over ( )}]^(V) and the post-alignment random IDcolumn σ_(L)r{right arrow over ( )}_(L−1) are equally coupled with eachother by using the post-permutation random ID column π_(L)r{right arrowover ( )}_(L−1) as a key so as to generate the post-alignment valuecolumn [σv{right arrow over ( )}]^(V). Here, a permutation function isexpressed as σ=σ_(L).

In the secret calculation system according to the first embodiment, theprocessing for generating the sort permutation σπ⁻¹ _(L) based on thekey column [k{right arrow over ( )}]^(K) and the processing forobtaining the post-alignment value column [σv{right arrow over ( )}]^(V)based on the sort permutation σπ⁻¹ _(L) are separated from each other.According to such configuration, processing by the value alignment unitcan be omitted in the case where the key column k{right arrow over ( )}and the value column v{right arrow over ( )} are identical to each otherand only the key column k{right arrow over ( )} is desired to be sorted,for example. In the secret calculation system according to the secondembodiment, the secret random permutation unit simultaneously performssecret random permutation of the value column [v{right arrow over ()}]^(V) with the permutation data <π_(L)> which is the same data for therandom ID column [r{right arrow over ( )}_(L−1)]^(ID). Therefore, thenumber of communication stages can be further reduced in the case whereboth of the key column k{right arrow over ( )} and the value columnv{right arrow over ( )} are desired to be sorted.

Third Embodiment

A configuration example of a sorting device 3 according to a thirdembodiment is described with reference to FIG. 6. The sorting device 3includes the permutation data generation unit 10, the random ID columngeneration unit 12, the secret random permutation unit 14, the ordertable creation unit 18, the sort permutation generation unit 20, and thevalue alignment unit 22 in a similar manner to the sorting device 1according to the first embodiment, and further includes a flag creationunit 28. The configuration of the third embodiment is applicable to thesecond embodiment. That is, such configuration may be employed that thepermutation data generation unit 10, the random ID column generationunit 12, the secret random permutation unit 24, the order table creationunit 18, and the alignment unit 26 are included in a similar manner tothe sorting device 2 according to the second embodiment, and the flagcreation unit 28 is further included.

Referring to FIG. 7, one example of a processing flow of a secretcalculation method which is executed by a secret calculation systemaccording to the third embodiment is described in accordance with anorder of a procedure which is actually performed.

In the sorting device 1 according to the first embodiment and thesorting device 2 according to the second embodiment, the secret sharingvalue [k{right arrow over ( )}]^(K) of the key column k{right arrow over( )} to be inputted is a secret sharing value of a bit. That is, the key[k_(j)]^(K) can be expressed as the key [k_(j)]^(K)=([k_(j,0)]^(B), . .. , [k_(j,L−1)]^(B)) with respect to j=0, . . . , m−1. On the otherhand, in the sorting device 3 according to the third embodiment, thesecret sharing value [k{right arrow over ( )}]^(K) of the key columnk{right arrow over ( )} to be inputted is a secret sharing value, whichcan express in kinds of order collections, in a space. That is, the key[k_(j)]^(K) can be expressed as the key [k_(j)]^(K)=([k_(j,0)]^(O), . .. , [k_(j,L−1)]^(O)) with respect to j=0, . . . , m−1.

Processing from step S10 to step S14 is same as that of the secretcalculation method according to the first embodiment.

In step S28, the flag creation unit 28 determines whether or not k_(j)=his satisfied with respect to the key [k_(j)]^(K)=([k_(j,0)]^(O), . . . ,[k_(j,L−1)]^(O)) in cases of j=0, . . . , m−1 and h=0, . . . , L−1 so asto parallelly and simultaneously set the flag [f_(j,h)]. Specifically,in the case of k_(j)=h, the flag [f_(j,h)]^(O)=[1]^(O) is set. In thecase of k_(j)≠h, the flag [f_(j,h)]^(O)=[0]^(O) is set. An equal signdetermination circuit may be used for setting of a flag.

Processing from step S18 to step S22 is same as that of the secretcalculation method according to the first embodiment.

In the secret calculation system according to the first embodiment, theflag [f_(j,h)]^(B) is set from the secret sharing values [k_(j,0)]^(B),. . . , [k_(j,L−1)]^(B) which are obtained by performing secret sharingof the key k_(j) for each bit, so that the flag [f_(j,h)]^(B) needs tobe converted into the flag [f_(j,h]) ^(O). In the secret calculationsystem according to the third embodiment, respective bits of the keyk_(j) are dealt as the secret sharing values [k_(j,0)]^(O), . . .[k_(j,L−1)]^(O) in a wider space and the flag [f_(j,h)]^(O) are directlyset, so that conversion is not necessary. Accordingly, the configurationis simpler than that in the first embodiment and thereforeimplementation is easy. However, the calculation amount is largerbecause the space used for calculation is wider, so that calculation isperformed more efficiently in the first embodiment.

Fourth Embodiment

A fourth embodiment enables detection of tampering in secret calculationwith respect to secret sorting of this invention. As a secret tamperingdetection method for detecting tampering in secret calculation, a methoddescribed in Reference Literature 2 below is proposed. In ReferenceLiterature 2, tampering detection in secret calculation is performed inthree phases. In a randomization phase, a distributed value is convertedinto a randomized distributed value of which correctness can beverified. In a calculation phase, desired secret calculation is executedby using an operation, which is composed of the semi-honest operation,for a randomized distributed value. At this time, the calculation isperformed while collecting randomized distributed values which will berequired for calculation of a checksum in the following correctnessverification phase. In the correctness verification phase, checksums arecollectively calculated with respect to the randomized distributedvalues which are collected in the calculation phase so as to performcorrectness verification. When the checksum is correct, a calculationresult obtained in the calculation phase is outputted. When the checksumis incorrect, only the fact of incorrectness is outputted withoutoutputting the calculation result.

-   [Reference Literature 2] Dai Ikarashi, Koji Chida, Koki Hamada, Ryo    Kikuchi, “An Extremely Efficient Secret-sharing-based Multi-Party    Computation against Malicious Adversary”, SCIS 2013, 2013.

However, in order to apply the method described in Reference Literature2, each operation executed in secret calculation needs to betamper-simulatable (Reference Literature 3).

-   [Reference Literature 3] D. Ikarashi, R. Kikuchi, K. Hamada, and K.    Chida, “Actively Private and Correct MPC Scheme in t<n/2 from    Passively Secure Schemes with Small Overhead”, IACR Cryptology    ePrint Archive, vol. 2014, p. 304, 2014

Therefore, in the fourth embodiment, such configuration example isdescribed that the secret tampering detection method described inReference Literature 2 is applied to secret sorting of the firstembodiment so that the above-mentioned condition is satisfied. Here, anexample in which the method is applied to the first embodiment isdescribed below, but the method is applicable to the second embodimentand the third embodiment as well based on a similar concept.

A configuration example of a sorting device 4 according to the fourthembodiment is described with reference to FIG. 8. The sorting device 4includes the permutation data generation unit 10, the random ID columngeneration unit 12, the secret random permutation unit 14, the flagcreation unit 16, the order table creation unit 18, and the valuealignment unit 22 in a similar manner to the sorting device 1 accordingto the first embodiment, and further includes a randomization unit 32, asort permutation generation unit 34, and a correctness verification unit36. The configuration of the fourth embodiment is also applicable to thesecond embodiment and the third embodiment. That is, such configurationmay be employed that the randomization unit 32 and the correctnessverification unit 36 are further included in addition to the constituentportions provided to the sorting device 2 according to the secondembodiment and the sorting device 3 according to the third embodimentand the sort permutation generation unit 34 is included instead of thesort permutation generation unit 20.

Referring to FIG. 9, one example of a processing flow of a secretcalculation method which is executed by the secret calculation systemaccording to the fourth embodiment is described in accordance with anorder of a procedure which is actually performed.

In step S32, the randomization unit 32 converts the set ([k{right arrowover ( )}]^(K),[v{right arrow over ( )}]^(V)) composed of thedistributed value [k{right arrow over ( )}]^(K) of the inputted keyk{right arrow over ( )} and the distributed value [v{right arrow over ()}]^(V) of the value v{right arrow over ( )} into a randomizeddistributed value. The randomized distributed value is the set([x],[xr]) composed of the distributed value [x] of the value xεR andthe distributed value [xr] of the integrated value xr of the value xεRand the random number rεA. Here, R represents a ring and A represents anassociative algebra on the ring R. The associative algebra is a joinedring and has a structure in a linear space on a certain field compatiblewith the ring. The associative algebra can be described such that avalue dealt in a vector space may be a ring instead of a field. The 0thcomponent ([x]) of the randomized distributed value is also referred toas the R component and the first component ([xr]) is also referred to asthe A component.

A random number used in generation of a randomized distributed value isgenerated such that a distributed value for one secret sharing isconverted into a distributed value for the other secret sharing so as toobtain an identical value of the random number in the case where aplurality of types of secret sharing on one ring are used. In thisformat conversion as well, tampering detection should be possible ortampering should be impossible. For example, a method which prohibitstampering conversion from replicated secret sharing into linear secretsharing is described in Reference Literature 4 below.

-   [Reference Literature 4] R. Cramer, I. Damgard, and Y. Ishai, “Share    conversion, pseudorandom secret-sharing and applications to secure    computation”, TCC, Vol. 3378 of Lecture Notes in Computer Science,    pp. 342-362, Springer, 2005.

From step S14 to step S18, the secret random permutation unit 14, theflag creation unit 16, and the order table creation unit 18 executepredetermined secret calculation while putting a randomized distributedvalue which is a calculation object and a randomized distributed valuewhich is a calculation result into a checksum C_(j) (j=0, . . . , J−1; Jrepresents the number of types of secret sharing) which is prepared foreach type of secret sharing.

In step S34, the sort permutation generation unit 34 uses a secretrandom permutation method by which tampering can be detected whenperforming secret random permutation of the order table [s{right arrowover ( )}]^(O) and the post-permutation random ID column [σ_(i)r{rightarrow over ( )}_(i)]^(ID) with the permutation data <π′_(i)>. This isbecause confidentiality may be violated in the case where the ordertable [s{right arrow over ( )}]^(O) and the post-permutation random IDcolumn [σ_(i)r{right arrow over ( )}_(i)]^(ID) are tampered. As therandom permutation method by which tampering can be detected, in suchrandom permutation method that a (k,n)-secret sharing value is convertedinto an additive secret sharing value and permutation and re-sharing arerepeated, for example, an input is converted into a randomizeddistributed value, a randomized distributed value is converted from anadditive secret sharing value into a (k,n)-secret sharing value so as tobe put into a checksum whenever one permutation is ended, andcorrectness verification similar to step S36 below is performed afterthe whole repeated permutation is ended. Here, it is possible to repeatthe acquisition of a checksum and the correctness verification atarbitrary timing in the random permutation. At this time, it issufficient to generate a randomized distributed value at least once withrespect to an input.

In step S36, the correctness verification unit 36 executes synchronousprocessing (SYNC) in which an action of waiting is performed until allsecret calculations for all secret sharing are ended. When the end ofall secret calculations for all secret sharing is detected, thechecksums C₀, . . . , C_(J−1) are verified by using the distributedvalues [r₀], . . . , [r_(J−1)] of the random values r₀, . . . , r_(J−1)which are used in the randomization unit 32 so as to verify correctnessof the post-alignment value column [σv{right arrow over ( )}]^(V) whichis obtained as a result of secret sorting. In the case where it isdetermined that there is no tempering as a result of the verification ofall of J pieces of checksums C₀, . . . , C_(J−1), the post-alignmentvalue column [σv{right arrow over ( )}]^(V) is outputted. In the casewhere it is determined that there is tempering, information representingthe presence of tampering (for example, “⊥” or the like) is outputted.

In the verification of a checksum, the distributed value [φ_(j)]obtained by multiplying a sum of the R components of randomizeddistributed values included in the checksum C_(j) by the distributedvalue [r_(j)] and the distributed value [ψ_(j)] which is a sum of the Acomponents of randomized distributed values included in the checksumC_(j) are calculated and the distributed value [δ_(j)]=[φ_(j)]−[ψ_(j)]obtained by subtracting the distributed value [ψ_(j)] from thedistributed value [φ_(j)] is restored. When all of the values δ₀, . . ., δ_(J−1) are 0, it is determined that there is no tampering in thewhole secret sorting. When any value δ_(j) is not 0, it is determinedthat tampering is performed in any operation in the secret sorting.

In the case where there are pieces of secret sharing on one ring among Jpieces of secret sharing, if correctness verification is performedcollectively to the extent possible, the number of disclosed values isreduced and consequently confidentiality can be further enhanced. Forexample, in the case where the α-th (α=0, . . . , J−1) secret sharingand the β-th (β=0, . . . , J−1, α≠β) secret sharing are pieces of secretsharing on one ring, the correctness verification is performed asfollows. First, the distributed value [φ_(α)] which is calculated fromthe checksum C_(α) as described above and the distributed value [ψ_(α)]which is calculated from the checksum C_(α) as described above arerespectively converted into the β-th secret sharing. Then, thedistributed value [δ]=([φ_(α)]+[φ_(β)])−([ψ_(α)]+[ψ_(β)]) which isobtained by subtracting the distributed value [ψ_(α)+ψ_(β)] which isobtained by adding the converted distributed value [ψ_(α)] and thedistributed value [ψ_(β)] which is calculated from the β-th checksumC_(β) in a similar mariner from the distributed value [φ_(α)+φ_(β)]which is obtained by adding the converted distributed value [φ_(α)] andthe distributed value [φ_(β)] which is calculated from the checksumC_(β) in a similar manner is restored. When the restored value δ is 0,it is determined that there is no tampering. When the restored value δis other than 0, it is determined that there is tampering. Thus, allcombinations of pieces of secret sharing on one ring are verified so asto verify that there is no tampering in the whole secret sorting. Theexample in which two pieces of secret sharing are secret sharing on onering is described in the present embodiment. However, correctnessverification can be performed by a similar method even in the case wherethree or more pieces of secret sharing are secret sharing on one ring.

The configuration as that of the present embodiment enables tamperingdetection and enhances security in the secret sorting of the presentinvention.

It is obvious that the present invention is not limited to theabove-described embodiments and alterations can be made as appropriatewithin a scope of the idea of the present invention. Various types ofprocessing which are described in the above embodiments may be executedin time series in accordance with the described order and may beexecuted in parallel or individually in accordance with the processingcapacity of the device performing the processing or in accordance withthe need.

[Program and Recording Medium]

When various types of processing functions in the devices described inthe above embodiments are implemented on a computer, the contents ofprocessing function to be contained in each device is written by aprogram. With this program executed on the computer, various types ofprocessing functions in the above-described devices are executed on thecomputer.

This program in which the contents of processing are written can berecorded in a computer-readable recording medium. The computer-readablerecording medium may be any medium such as a magnetic recording device,an optical disc, a magneto-optical recording medium, and a semiconductormemory.

Distribution of this program is implemented by sales, transfer, rental,and other transactions of a portable recording medium such as a DVD anda CD-ROM on which the program is recorded, for example. Furthermore,this program may be stored in a storage unit of a server computer andtransferred from the server computer to other computers via a network soas to be distributed.

A computer which executes such program first stores the program storedin a portable recording medium or transferred from a server computeronce in a storage unit of the computer, for example. When the processingis performed, the computer reads out the program stored in the recordingmedium of the computer and performs processing in accordance with theprogram thus read out. As another execution form of this program, thecomputer may directly read out the program from a portable recordingmedium and perform processing in accordance with the program.Furthermore, each time the program is transferred to the computer fromthe server computer, the computer may sequentially perform processing inaccordance with the received program. Alternatively, what is calledapplication service provider (ASP) type of services may be used toperform the processing described above, with which the program is nottransferred from the server computer to the computer and the processingfunction is realized only with execution instructions and resultacquisition. It should be noted that a program according to the presentembodiment includes information provided for processing performed byelectronic calculation equipment, which is equivalent to a program (suchas data which is not a direct instruction to the computer but has aproperty specifying the processing performed by the computer).

In the present embodiment, the present device is configured with apredetermined program executed on a computer. However, the presentdevice may be configured with at least part of these processing contentsrealized in a hardware manner.

1. A secret calculation method in which sort permutation σπ⁻¹ _(L) forperforming alignment of a value column v{right arrow over ( )} isgenerated by inputting a set composed of a secret sharing value [k{rightarrow over ( )}] of a column k{right arrow over ( )} including m piecesof keys k₀, . . . , k_(m−1) having L bits and a secret sharing value[v{right arrow over ( )}] of the column v{right arrow over ( )}including m pieces of values v₀, . . . , v_(m−1), the method comprising:a permutation data generation step in which a permutation datageneration unit generates permutation data <π_(i)> and <π′_(i)> so as togenerate permutation data <π_(L)> with respect to i=1, . . . , L−1; arandom ID column generation step in which a random ID column generationunit generates a random ID column [r{right arrow over ( )}_(i)] whichdoes not include mutually-overlapped values so as to generate a randomID column [r{right arrow over ( )}_(L)] which does not includemutually-overlapped values with respect to i=1, . . . , L−1; a secretrandom permutation step in which a secret random permutation unitperforms secret random permutation of a set composed of a random IDcolumn [r{right arrow over ( )}_(i−1)], a key column [k{right arrow over( )}_(i)], and the random ID column [r{right arrow over ( )}_(i)] withthe permutation data <π_(i)> so as to generate a set composed of apost-permutation random ID column π_(i)r{right arrow over ( )}_(i−1), apost-permutation key column [π_(i)k{right arrow over ( )}_(i)], and apost-permutation random ID column [π_(i)r{right arrow over ( )}_(i)] andperforms secret random permutation of a random ID column [r{right arrowover ( )}_(L−1)] with the permutation data <π_(L)> so as to generate apost-permutation random ID column π_(L)r{right arrow over ( )}_(L−1)with respect to i=1, . . . , L−1; a flag creation step in which a flagcreation unit determines whether or not k_(j)=h is satisfied withrespect to a key [k_(j)]=([k_(j,0)], . . . , [k_(j,L−1)]) in cases ofj=0, . . . , m−1 and h=0, . . . , L−1 so as to set a flag [f_(j,h)]; anorder table creation step in which an order table creation unit createsan order table [s{right arrow over ( )}:=(s₀, . . . , s_(m−1))], inwhich an order of each of the keys k₀, . . . , k_(m−1) in an ascendingorder is set, by using the flag [f_(j,h)]; and a sort permutationgeneration step in which a sort permutation generation unit performspermutation of the random ID column [r{right arrow over ( )}_(i)] by apermutation function σ_(i) so as to generate a post-permutation randomID column [σ_(i)r{right arrow over ( )}_(i)] with respect to i=0, . . ., L−1, performs secret random permutation of an order table [s{rightarrow over ( )}] and the post-permutation random ID column [σ_(i)r{rightarrow over ( )}_(i)] with the permutation data <π′_(i)> so as togenerate a post-permutation order table π′_(i)s{right arrow over ( )}and a post-permutation random ID column π′_(i)σ_(i)r{right arrow over ()}_(i), performs alignment of the post-permutation random ID columnπ′_(i)σ_(i)r{right arrow over ( )}_(i) based on the post-permutationorder table π′_(i)s{right arrow over ( )} so as to generate apost-alignment random ID column σ_(i+1)r{right arrow over ( )}_(i), setsa permutation function σ_(i+1)=s{right arrow over ( )}⁻¹σ_(i), equallycouples a set composed of a post-permutation random ID columnπ_(i+1)r{right arrow over ( )}_(i), a post-permutation key column[π_(i+1)k{right arrow over ( )}_(i+1)], and a post-permutation random IDcolumn [π_(i+1)r{right arrow over ( )}_(i+1)] with the post-alignmentrandom ID column π_(i+1)r{right arrow over ( )}_(i) by using thepost-permutation random ID column π_(i+1)r{right arrow over ( )}_(i) asa key with respect to generates a set composed of the post-alignmentrandom ID column σ_(i+1)r{right arrow over ( )}_(i), a post-alignmentkey column [σ_(i+1)k{right arrow over ( )}_(i+1)], and a post-alignmentrandom ID column [σ_(i+1)r{right arrow over ( )}_(i+1)], and equallycouples the post-permutation random ID column π_(L)r{right arrow over ()}_(L−1) with a post-alignment random ID column σ_(L)r{right arrow over( )}_(L−1) so as to generate sort permutation σπ⁻¹ _(L).
 2. A secretcalculation method in which a post-alignment value column [σv{rightarrow over ( )}]^(V), the post-alignment value column [σv{right arrowover ( )}]^(V) being obtained by performing alignment of a value columnv{right arrow over ( )}, is generated by inputting a set composed of asecret sharing value [k{right arrow over ( )}] of a column k{right arrowover ( )} including m pieces of keys k₀, . . . , k_(m−1) having L bitsand a secret sharing value [v{right arrow over ( )}] of the columnv{right arrow over ( )} including m pieces of values v₀, . . . ,v_(m−1), the method comprising: a permutation data generation step inwhich a permutation data generation unit generates permutation data<π_(i)> and <π′_(i)> so as to generate permutation data <π_(L)> withrespect to i=1, . . . , L−1; a random ID column generation step in whicha random ID column generation unit generates a random ID column [r{rightarrow over ( )}_(i)] which does not include mutually-overlapped valuesso as to generate a random ID column [r{right arrow over ( )}_(L)] whichdoes not include mutually-overlapped values with respect to i=1, . . . ,L−1; a secret random permutation step in which a secret randompermutation unit performs secret random permutation of a set composed ofa random ID column [r{right arrow over ( )}_(i−1)], a key column[k{right arrow over ( )}_(i)], and the random ID column [r{right arrowover ( )}_(i)] with the permutation data <π_(i)> so as to generate a setcomposed of a post-permutation random ID column π_(i)r{right arrow over( )}_(i−1), a post-permutation key column [π_(i)k{right arrow over ()}_(i)], and a post-permutation random ID column [π_(i)r{right arrowover ( )}_(i)] and performs secret random permutation of a set composedof a random ID column [r{right arrow over ( )}_(L−1)] and a value column[v{right arrow over ( )}]^(V) with the permutation data <π_(L)> so as togenerate a set composed of a post-permutation random ID columnπ_(L)r{right arrow over ( )}_(L−1) and a post-permutation value column[π_(L)v{right arrow over ( )}]^(V) with respect to i=1, . . . , L−1; aflag creation step in which a flag creation unit determines whether ornot k_(j)=h is satisfied with respect to a key [k_(j)]=([k_(j,0)], . . ., [k_(j,L−1)]) in cases of j=0, . . . , m−1 and h=0, . . . , L−1 so asto set a flag [f_(j,h)]; an order table creation step in which an ordertable creation unit creates an order table [s{right arrow over ()}:=(s₀, . . . , s_(m−1)], in which an order of each of the keys k₀, . .. , k_(m−1) in an ascending order is set, by using the flag [f_(j,h)];and an alignment step in which an alignment unit performs permutation ofthe random ID column [r{right arrow over ( )}_(i)] by a permutationfunction σ_(i) so as to generate a post-permutation random ID column[σ_(i)r{right arrow over ( )}_(i)] with respect to i=0, . . . , L−1,performs secret random permutation of an order table [s{right arrow over( )}] and the post-permutation random ID column [σ_(i)r{right arrow over( )}_(i)] with the permutation data <π′_(i)> so as to generate apost-permutation order table π′_(i)s{right arrow over ( )} and apost-permutation random ID column π′_(i)σ_(i)r{right arrow over ()}_(i), performs alignment of the post-permutation random ID columnπ′_(i)σ_(i)r{right arrow over ( )}_(i) based on the post-permutationorder table π′_(i)s{right arrow over ( )} so as to generate apost-alignment random ID column σ_(i+1)r{right arrow over ( )}_(i), setsa permutation function σ_(i+1)=s{right arrow over ( )}⁻¹σ_(i), equallycouples a set composed of a post-permutation random ID columnπ_(i+1)r{right arrow over ( )}_(i), a post-permutation key column[π_(i+1)k{right arrow over ( )}_(i+1)], and a post-permutation random IDcolumn [π_(i+1)r{right arrow over ( )}_(i+1)] with the post-alignmentrandom ID column σ_(i+1)r{right arrow over ( )}_(i) by using thepost-permutation random ID column π_(i+1)r{right arrow over ( )}_(i) asa key with respect to i=0, . . . , L−2, generates a set composed of thepost-alignment random ID column σ_(i+1)r{right arrow over ( )}_(i), apost-alignment key column [σ_(i+1)k{right arrow over ( )}_(i+1)], and apost-alignment random ID column [σ_(i+1)r{right arrow over ( )}_(i+1)],and equally couples a set composed of the post-permutation random IDcolumn π_(L)r{right arrow over ( )}_(L−1) and the post-permutation valuecolumn [π_(L)v{right arrow over ( )}]^(V) with a post-alignment randomID column σ_(L)r{right arrow over ( )}_(L−1) by using thepost-permutation random ID column π_(L)r{right arrow over ( )}_(L−1) asa key so as to generate the post-alignment value column [σv{right arrowover ( )}]^(V).
 3. The secret calculation method according to claim 1,further comprising: a value alignment step in which a value alignmentunit performs secret random permutation of the value column [v{rightarrow over ( )}] with the permutation data <π_(L)> so as to generate apost-permutation value column [π_(L)v{right arrow over ( )}] andperforms alignment of the post-permutation value column [π_(L)v{rightarrow over ( )}] based on the sort permutation σπ⁻ _(L) so as togenerate a post-alignment value column [σv{right arrow over ( )}].
 4. Asecret calculation system by which sort permutation σπ⁻¹ _(L) forperforming alignment of a value column v{right arrow over ( )} isgenerated by inputting a set composed of a secret sharing value [k{rightarrow over ( )}] of a column k{right arrow over ( )} including m piecesof keys k₀, . . . , k_(m−1) having L bits and a secret sharing value[v{right arrow over ( )}] of the column v{right arrow over ( )}including m pieces of values v₀, . . . , v_(m−1), the system comprising:a plurality of sorting devices; wherein the sorting devices include apermutation data generation unit which generates permutation data<π_(i)> and <π′_(i)> so as to generate permutation data <π_(L)> withrespect to i=1, . . . , L−1, a random ID column generation unit whichgenerates a random ID column [r{right arrow over ( )}_(i)] which doesnot include mutually-overlapped values so as to generate a random IDcolumn [r{right arrow over ( )}_(L)] which does not includemutually-overlapped values with respect to i=1, . . . , L−1, a secretrandom permutation unit which performs secret random permutation of aset composed of a random ID column [r{right arrow over ( )}_(i−1)], akey column [k{right arrow over ( )}_(i)], and the random ID column[r{right arrow over ( )}_(i)] with the permutation data <π_(i)> so as togenerate a set composed of a post-permutation random ID columnπ_(i)r{right arrow over ( )}_(i−1), a post-permutation key column[π_(i)k{right arrow over ( )}_(i)], and a post-permutation random IDcolumn [π_(i)r{right arrow over ( )}_(i)] and performs secret randompermutation of a random ID column [r{right arrow over ( )}_(L−1)] withthe permutation data <π_(L)> so as to generate a post-permutation randomID column π_(L)r{right arrow over ( )}_(L−1) with respect to i=1, . . ., L−1, a flag creation unit which determines whether or not k_(j)=h issatisfied with respect to a key [k_(j)]=([k_(j,0)], . . . , [k_(j,L−1)])in cases of j=0, . . . , m−1 and h=0, . . . , L−1 so as to set a flag[f_(j,h)], an order table creation unit which creates an order table[s{right arrow over ( )}:=(s₀, . . . , s_(m−1))], in which an order ofeach of the keys k₀, . . . , k_(m−1) in an ascending order is set, byusing the flag [f_(j,h)], and a sort permutation generation unit whichperforms permutation of the random ID column [r{right arrow over ()}_(i)] by a permutation function σ_(i) so as to generate apost-permutation random ID column [σ_(i)r{right arrow over ( )}_(i)]with respect to i=0, . . . , L−1, performs secret random permutation ofan order table [s{right arrow over ( )}] and the post-permutation randomID column [σ_(i)r{right arrow over ( )}_(i)] with the permutation data<π′_(i)> so as to generate a post-permutation order table π′_(i)s{rightarrow over ( )} and a post-permutation random ID columnπ′_(i)σ_(i)r{right arrow over ( )}_(i), performs alignment of thepost-permutation random ID column π′_(i)σ_(i)r{right arrow over ( )}_(i)based on the post-permutation order table π′_(i)s{right arrow over ( )}so as to generate a post-alignment random ID column σ_(i+1)r{right arrowover ( )}_(i), sets a permutation function σ_(i+1)=s{right arrow over ()}⁻¹σ_(i), equally couples a set composed of a post-permutation randomID column π_(i+1)r{right arrow over ( )}_(i), a post-permutation keycolumn [π_(i+1)k{right arrow over ( )}_(i+1)], and a post-permutationrandom ID column [π_(i+1)r{right arrow over ( )}_(i+1)] with thepost-alignment random ID column σ_(i+1)r{right arrow over ( )}_(i) byusing the post-permutation random ID column π_(i+1)r{right arrow over ()}_(i) as a key with respect to i=0, . . . , L−2, generates a setcomposed of the post-alignment random ID column σ_(i+1)r{right arrowover ( )}_(i), a post-alignment key column [σ_(i+1)k{right arrow over ()}_(i+1)], and a post-alignment random ID column [σ_(i+1)r{right arrowover ( )}_(i+1)], and equally couples the post-permutation random IDcolumn π_(L)r{right arrow over ( )}_(L−1) with a post-alignment randomID column σ_(L)r{right arrow over ( )}_(L−1) so as to generate sortpermutation σπ⁻¹ _(L).
 5. A secret calculation system by which apost-alignment value column [σv{right arrow over ( )}], thepost-alignment value column [σv{right arrow over ( )}] being obtained byperforming alignment of a value column v{right arrow over ( )}, isgenerated by inputting a set composed of a secret sharing value [k{rightarrow over ( )}] of a column k{right arrow over ( )} including m piecesof keys k₀, . . . , k_(m−1) having L bits and a secret sharing value[v{right arrow over ( )}] of the column v{right arrow over ( )}including m pieces of values v₀, . . . , v_(m−1), the system comprising:a plurality of sorting devices; wherein the sorting devices include apermutation data generation unit which generates permutation data<π_(i)> and <π′_(i)> so as to generate permutation data <π_(L)> withrespect to i=1, . . . , L−1, a random ID column generation unit whichgenerates a random ID column [r{right arrow over ( )}_(i)] which doesnot include mutually-overlapped values so as to generate a random IDcolumn [r{right arrow over ( )}_(L)] which does not includemutually-overlapped values with respect to i=1, . . . , L−1, a secretrandom permutation unit which performs secret random permutation of aset composed of a random ID column [r{right arrow over ( )}_(i−1)], akey column [k{right arrow over ( )}_(i)], and the random ID column[r{right arrow over ( )}_(i)] with the permutation data <π_(i)> so as togenerate a set composed of a post-permutation random ID columnπ_(i)r{right arrow over ( )}_(i−1), a post-permutation key column[π_(i)k{right arrow over ( )}_(i)], and a post-permutation random IDcolumn [π_(i)r{right arrow over ( )}_(i)] and performs secret randompermutation of a random ID column [r{right arrow over ( )}_(L−1)] and avalue column [v{right arrow over ( )}]^(V) with the permutation data[π_(L)v{right arrow over ( )}]^(V) so as to generate a post-permutationrandom ID column π_(L)r{right arrow over ( )}_(L−1) and apost-permutation value column [π_(L)v{right arrow over ( )}]^(V) withrespect to i=1, . . . , L−1, a flag creation unit which determineswhether or not k_(j)=h is satisfied with respect to a key[k_(j)]=([k_(j,0)], . . . , [k_(j,L−1)]) in cases of j=0, . . . , m−1and h=0, . . . , L−1 so as to set a flag [f_(j,h)], an order tablecreation unit which creates an order table [s{right arrow over ()}:=(s₀, . . . , s_(m−1))], in which an order of each of the keys k₀, .. . , k_(m−1) in an ascending order is set, by using the flag [f_(j,h)],and an alignment unit which performs permutation of the random ID column[r{right arrow over ( )}_(i)] by a permutation function σ_(i) so as togenerate a post-permutation random ID column [σ_(i)r{right arrow over ()}_(i)] with respect to i=0, . . . , L−1, performs secret randompermutation of an order table [s{right arrow over ( )}] and thepost-permutation random ID column [σ_(i)r{right arrow over ( )}_(i)]with the permutation data <π′_(i)> so as to generate a post-permutationorder table π′_(i)s{right arrow over ( )} and a post-permutation randomID column π′_(i)σ_(i)r{right arrow over ( )}_(i), performs alignment ofthe post-permutation random ID column π′_(i)σ_(i)r{right arrow over ()}_(i) based on the post-permutation order table π′_(i)s{right arrowover ( )} so as to generate a post-alignment random ID columnσ_(i+1)r{right arrow over ( )}_(i), sets a permutation functionσ_(i+1)=s{right arrow over ( )}⁻¹σ_(i), equally couples a set composedof a post-permutation random ID column π_(i+1)r{right arrow over ()}_(i), a post-permutation key column [π_(i+1)k{right arrow over ()}_(i+1)], and a post-permutation random ID column [π_(i+1)r{right arrowover ( )}_(i+1)] with the post-alignment random ID column σ_(i+1)r{rightarrow over ( )}_(i) by using the post-permutation random ID columnπ_(i+1)r{right arrow over ( )}_(i) as a key with respect to i=0, . . . ,L−2, generates a set composed of the post-alignment random ID columnσ_(i+1)r{right arrow over ( )}_(i), a post-alignment key column[σ_(i+1)k{right arrow over ( )}_(i+1)], and a post-alignment random IDcolumn [σ_(i+1)r{right arrow over ( )}_(i+1)], and equally couples a setcomposed of the post-permutation random ID column π_(L)r{right arrowover ( )}_(L−1) and the post-permutation value column [π_(L)v{rightarrow over ( )}]^(V) with a post-alignment random ID column σ_(L)r{rightarrow over ( )}_(L−1) by using the post-permutation random ID columnπ_(L)r{right arrow over ( )}_(L−1) as a key so as to generate thepost-alignment value column [σv{right arrow over ( )}]^(V).
 6. A sortingdevice which generates sort permutation σπ⁻¹ _(L) for performingalignment of a value column v{right arrow over ( )} by inputting a setcomposed of a secret sharing value [k{right arrow over ( )}] of a columnk{right arrow over ( )} including m pieces of keys k₀, . . . , k_(m−1)having L bits and a secret sharing value [v{right arrow over ( )}] ofthe column v{right arrow over ( )} including m pieces of values v₀, . .. , v_(m−1), the sorting device comprising: a permutation datageneration unit which generates permutation data <π_(i)> and <π′_(i)> soas to generate permutation data <π_(L)> with respect to i=1, . . . ,L−1, a random ID column generation unit which generates a random IDcolumn [r{right arrow over ( )}_(i)] which does not includemutually-overlapped values so as to generate a random ID column [r{rightarrow over ( )}_(L)] which does not include mutually-overlapped valueswith respect to i=1, . . . , L−1, a secret random permutation unit whichperforms secret random permutation of a set composed of a random IDcolumn [r{right arrow over ( )}_(i−1)], a key column [k{right arrow over( )}_(i)], and the random ID column [r{right arrow over ( )}_(i)] withthe permutation data <π_(i)> so as to generate a set composed of apost-permutation random ID column π_(i)r{right arrow over ( )}_(i−1), apost-permutation key column [π_(i)k{right arrow over ( )}_(i)], and apost-permutation random ID column [π_(i)r{right arrow over ( )}_(i)] andperforms secret random permutation of a random ID column [r{right arrowover ( )}_(L−1)] with the permutation data <π_(L)> so as to generate apost-permutation random ID column π_(L)r{right arrow over ( )}_(L−1)with respect to i=1, . . . , L−1, a flag creation unit which determineswhether or not k_(j)=h is satisfied with respect to a key[k_(j)]=([k_(j,0)], . . . , [k_(j,L−1)]) in cases of j=0, . . . , m−1and h=0, . . . , L−1 so as to set a flag [f_(j,h)], an order tablecreation unit which creates an order table [s{right arrow over ()}:=(s₀, . . . , s_(m−1))], in which an order of each of the keys k₀, .. . , k_(m−1) in an ascending order is set, by using the flag [f_(j,h)],and a sort permutation generation unit which performs permutation of therandom ID column [r{right arrow over ( )}_(i)] by a permutation functionG, so as to generate a post-permutation random ID column [σ_(i)r{rightarrow over ( )}_(i)] with respect to i=0, . . . , L−1, performs secretrandom permutation of an order table [s{right arrow over ( )}] and thepost-permutation random ID column [σ_(i)r{right arrow over ( )}_(i)]with the permutation data <π′_(i)> so as to generate a post-permutationorder table π′_(i){right arrow over ( )} and a post-permutation randomID column π′_(i)σ_(i)r{right arrow over ( )}_(i), performs alignment ofthe post-permutation random ID column π′_(i)σ_(i)r{right arrow over ()}_(i) based on the post-permutation order table π′_(i)s{right arrowover ( )} so as to generate a post-alignment random ID columnσ_(i+1)r{right arrow over ( )}_(i), sets a permutation functionσ_(i+1)=s{right arrow over ( )}⁻σ_(i), equally couples a set composed ofa post-permutation random ID column π_(i+1)r{right arrow over ( )}_(i),a post-permutation key column [π_(i+1)k{right arrow over ( )}_(i+1)],and a post-permutation random ID column [π_(i+1)r{right arrow over ()}_(i+1)] with the post-alignment random ID column σ_(i+1)r{right arrowover ( )}_(i) by using the post-permutation random ID columnπ_(i+1)r{right arrow over ( )}_(i) as a key with respect to i=0, . . . ,L−2, generates a set composed of the post-alignment random ID columnν_(i|1)r{right arrow over ( )}_(i), a post-alignment key column[σ_(i+1)k{right arrow over ( )}_(i+1)], and a post-alignment random IDcolumn [σ_(i+1)r{right arrow over ( )}_(i+1)], and equally couples thepost-permutation random ID column π_(L)r{right arrow over ( )}_(L−1)with a post-alignment random ID column σ_(L)r{right arrow over ()}_(L−1) so as to generate sort permutation σπ⁻¹ _(L).
 7. A sortingdevice which generates a post-alignment value column [σv{right arrowover ( )}]^(V), the post-alignment value column [σv{right arrow over ()}]^(V) being obtained by performing alignment of a value column v{rightarrow over ( )}, by inputting a set composed of a secret sharing value[k{right arrow over ( )}] of a column k{right arrow over ( )} includingm pieces of keys k₀, . . . k_(m−1) having L bits and a secret sharingvalue [v{right arrow over ( )}] of the column v{right arrow over ( )}including m pieces of values v₀, . . . , v_(m−1), the sorting devicecomprising: a permutation data generation unit which generatespermutation data <π_(i)> and <π′_(i)> so as to generate permutation data<π_(L)> with respect to i=1, . . . , L−1, a random ID column generationunit which generates a random ID column [r{right arrow over ( )}_(i)]which does not include mutually-overlapped values so as to generate arandom ID column [r{right arrow over ( )}_(L)] which does not includemutually-overlapped values with respect to i=1, . . . , L−1, a secretrandom permutation unit which performs secret random permutation of aset composed of a random ID column [r{right arrow over ( )}_(i−1)], akey column [k{right arrow over ( )}_(i)], and the random ID column[r{right arrow over ( )}_(i)] with the permutation data <π_(i)> so as togenerate a set composed of a post-permutation random ID columnπ_(i)r{right arrow over ( )}_(i−1), a post-permutation key column[π_(i)k{right arrow over ( )}_(i)], and a post-permutation random IDcolumn [π_(i)r{right arrow over ( )}_(i)] and performs secret randompermutation of a random ID column [r{right arrow over ( )}_(L−1)] and avalue column [v{right arrow over ( )}]^(V) with the permutation data<π_(L)> so as to generate a post-permutation random ID columnπ_(L)r{right arrow over ( )}_(L−1) and a post-permutation value column[π_(L)v{right arrow over ( )}]^(V) with respect to i=1, . . . , L−1, aflag creation unit which determines whether or not k_(j)=h is satisfiedwith respect to a key [k_(j)]=([k_(j,0)], . . . , [k_(j,L−1)]) in casesof j=0, . . . , m−1 and h=0, . . . , L−1 so as to set a flag [f_(j,h)],an order table creation unit which creates an order table [s{right arrowover ( )}:=(s₀, . . . , s_(m−1))], in which an order of each of the keysk₀, . . . , k_(m−1) in an ascending order is set, by using the flag[f_(j,h)], and an alignment unit which performs permutation of therandom ID column [r{right arrow over ( )}_(i)] by a permutation functionσ_(i) so as to generate a post-permutation random ID column[σ_(i)r{right arrow over ( )}_(i)] with respect to i=0, . . . , L−1,performs secret random permutation of an order table [s{right arrow over( )}] and the post-permutation random ID column [σ_(i)r{right arrow over( )}_(i)] with the permutation data <π′_(i)> so as to generate apost-permutation order table π′_(i)s{right arrow over ( )} and apost-permutation random ID column π′_(i)σ_(i)r{right arrow over ()}_(i), performs alignment of the post-permutation random ID columnπ′_(i)σ_(i)r{right arrow over ( )}_(i) based on the post-permutationorder table π′_(i)s{right arrow over ( )} so as to generate apost-alignment random ID column σ_(i+1)r{right arrow over ( )}_(i), setsa permutation function σ_(i+1)=s{right arrow over ( )}⁻¹σ_(i), equallycouples a set composed of a post-permutation random ID columnπ_(i+1)r{right arrow over ( )}_(i), a post-permutation key column[π_(i+1)k{right arrow over ( )}_(i+1)], and a post-permutation random IDcolumn [π_(i+1)r{right arrow over ( )}_(i+1)] with the post-alignmentrandom ID column σ_(i+1)r{right arrow over ( )}_(i) by using thepost-permutation random ID column π_(i+1)r{right arrow over ( )}_(i) asa key with respect to i=0, . . . , L−2, generates a set composed of thepost-alignment random ID column σ_(i+1)r{right arrow over ( )}_(i), apost-alignment key column [σ_(i|1)k{right arrow over ( )}_(i|1)], and apost-alignment random ID column [σ_(i|1)r{right arrow over ( )}_(i|1)],and equally couples a set composed of the post-permutation random IDcolumn π_(L)r{right arrow over ( )}_(L−1) and the post-permutation valuecolumn [π_(L)v{right arrow over ( )}]^(V) with a post-alignment randomID column σ_(L)r{right arrow over ( )}_(L−1) by using thepost-permutation random ID column π_(L)r{right arrow over ( )}_(L−1) asa key so as to generate the post-alignment value column [σv{right arrowover ( )}]^(V).
 8. A non-transitory computer readable medium includingcomputer executable instructions that make a computer function as thesorting device according to claim
 6. 9. A non-transitory computerreadable medium including computer executable instructions that make acomputer function as the sorting device according to claim 7.